Page MenuHomeFreeBSD
Differential D11328

security/libu2f-host: add USERS/GROUPS framework
ClosedPublic
Actions

Authored by cpm on Jun 23 2017, 6:22 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 10, 6:31 PM
Unknown Object (File)
Tue, Dec 10, 1:25 PM
Unknown Object (File)
Fri, Nov 29, 7:30 AM
Unknown Object (File)
Sun, Nov 24, 7:13 PM
Unknown Object (File)
Sat, Nov 23, 9:55 PM
Unknown Object (File)
Sat, Nov 23, 3:48 PM
Unknown Object (File)
Fri, Nov 22, 12:44 PM
Unknown Object (File)
Wed, Nov 20, 3:17 AM
View All Files
Subscribers
None

Details

Reviewers
uqs
bapt
jbeich
hselasky
Commits
rP446043: - Fix LICENSE
Summary
- Fix LICENSE
- Use GROUPS
- Add sample config file
- Add pkg-message
- Take maintainership

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

cpm created this revision.Jun 23 2017, 6:22 PM
cpm added a reviewer: bapt.Jul 10 2017, 12:03 PM
cpm added a comment.Jul 10 2017, 12:07 PM

Hi Baptiste,

Would you mind to add the u2f.conf to the port that you've already committed?

Thanks

uqs added inline comments.Jul 10 2017, 12:58 PM
security/libu2f-host/pkg-plist
2 ↗(On Diff #30007)

All your rules do is change permissions, shouldn't you be using devfs.rules for this instead of devd actions?

cpm added inline comments.Jul 10 2017, 1:08 PM
security/libu2f-host/pkg-plist
2 ↗(On Diff #30007)

It was discussed with hselasky@

I want to hear bapt's opinion, because he has already committed this port.

cpm added a comment.Jul 10 2017, 1:45 PM

u2f.conf changes the permissions of the $cdev node of the ugen device so that the libu2f-host can access this devices on FreeBSD.

Please feel free to comment or propose changes.

cpm added a reviewer: jbeich.Jul 12 2017, 6:26 PM
jbeich edited edge metadata.Jul 14 2017, 2:21 PM

Can you update diff against the existing port?

security/libu2f-host/files/u2f.conf.in
6 ↗(On Diff #30007)

Did you convert devd rules from udev via script? If so please add it under /usr/ports/Tools/scripts/ or create USES.

8 ↗(On Diff #30007)

This grants r/w access for default group which is probably wheel unless overriden via /etc/devfs.rules. Maybe create a dedicated group (e.g. u2f) and document it somewhere (manpage or pkg-message). Here're a few examples:

  • comms/telldus-core/files/patch-tdadmin-freebsd-devd-tellstick.conf
  • devel/msp430-debug-stack/files/mspfet.conf
  • print/cups/files/cups.conf.sample
  • graphics/sane-backends/files/pkg-message.in
security/libu2f-host/pkg-plist
2 ↗(On Diff #30007)

Can you quote the discussion or post a link to the achived copy?

bapt edited edge metadata.Jul 14 2017, 2:32 PM

sorry I have missed that review

if you want to grab the port and make it yours, feel free to grab it :)

I would prefer a devfs.rules but maybe the devd conf file is more userfriendly

security/libu2f-host/files/u2f.conf.in
8 ↗(On Diff #30007)

I agree

cpm added a reviewer: hselasky.Jul 16 2017, 12:54 PM
cpm added a comment.Jul 16 2017, 12:57 PM
In D11328#240123, @bapt wrote:

sorry I have missed that review

if you want to grab the port and make it yours, feel free to grab it :)

I would prefer a devfs.rules but maybe the devd conf file is more userfriendly

Thanks Baptiste!

I hope that Hans will shed some light on the device permissions then I'll proceed to change the port accordingly.

cpm marked an inline comment as done.Jul 16 2017, 1:18 PM
cpm added inline comments.
security/libu2f-host/files/u2f.conf.in
6 ↗(On Diff #30007)

Indeed, writing an converter script would be useful, but I did it from scratch.

8 ↗(On Diff #30007)

Thanks for pointing this out! I need to dig more to be completely sure.

security/libu2f-host/pkg-plist
2 ↗(On Diff #30007)

Please, take a look at your inbox.

hselasky edited edge metadata.Jul 16 2017, 1:28 PM

It might be better if this library installed its own group which these devices are chowned to?

cpm updated this revision to Diff 30833.Jul 16 2017, 3:02 PM
cpm marked an inline comment as done.
cpm edited the summary of this revision. (Show Details)
cpm added a comment.Jul 16 2017, 3:07 PM
In D11328#240492, @hselasky wrote:

It might be better if this library installed its own group which these devices are chowned to?

Regarding device permissions, please check if I forgot anything else.

Thanks for your quick reply, Hans

cpm retitled this revision from security/libu2f-host: Yubico Universal 2nd Factor (U2F) Host C Library to security/libu2f-host: add USERS/GROUPS framework.Jul 16 2017, 3:48 PM
cpm updated this revision to Diff 30834.Jul 16 2017, 3:56 PM

Update diff against r445430

hselasky accepted this revision.Jul 16 2017, 4:03 PM

Looks good to me with regards to the USB bits and the devd script. I'm not sure if you should install u2f.conf directly or postfixed with .sample which will require user-interaction.

This revision is now accepted and ready to land.Jul 16 2017, 4:03 PM
cpm added a comment.Jul 16 2017, 4:08 PM
In D11328#240516, @hselasky wrote:

Looks good to me with regards to the USB bits and the devd script. I'm not sure if you should install u2f.conf directly or postfixed with .sample which will require user-interaction.

Well, I think that just installing u2f.conf would be enough. Maybe adding a note in pkg-message to remind consumers that they should restart devd?

Thanks again :)

cpm added a comment.EditedJul 16 2017, 4:22 PM
In D11328#240519, @cpm wrote:
In D11328#240516, @hselasky wrote:

Looks good to me with regards to the USB bits and the devd script. I'm not sure if you should install u2f.conf directly or postfixed with .sample which will require user-interaction.

Well, I think that just installing u2f.conf would be enough. Maybe adding a note in pkg-message to remind consumers that they should restart devd?

Here is an example:

======================================================================
                            
Note that a sample file is installed in %%PREFIX%%/etc/devd/u2f.conf
to allow u2f access permissions.

You should only restart devd with the command:
# service devd restart

======================================================================
cpm updated this revision to Diff 30835.Jul 16 2017, 4:28 PM
cpm edited edge metadata.
cpm edited the summary of this revision. (Show Details)
  • Fix LICENSE
  • Rewrite pkg-message to remove redundant information.
This revision now requires review to proceed.Jul 16 2017, 4:28 PM
bapt accepted this revision.Jul 16 2017, 5:18 PM
This revision is now accepted and ready to land.Jul 16 2017, 5:18 PM
jbeich added inline comments.Jul 16 2017, 5:40 PM
GIDs
172 ↗(On Diff #30835)

Maybe pick group-only free number e.g., 116, 141, 151.

UIDs
177 ↗(On Diff #30835)

Maybe drop this, so GIDs can reserve group-only number.

security/libu2f-host/Makefile
31 ↗(On Diff #30835)

Why do you need a separate user as well? Does the port install a daemon and/or rc.d script?

security/libu2f-host/files/pkg-message.in
3 ↗(On Diff #30835)

"Note that" is redundant.

7 ↗(On Diff #30835)

You're forgetting the user has to be part of u2f group. Maybe rephrase the whole file e.g.,

The package requires read/write access to USB devices. To facilitate
such access it comes with a devd.conf(5) file, but you still need to
restart devd(8), add the desired users to "u2f" group and log those
out of the current session. For example:

  $ pw group mod u2f -m <user>
  $ shutdown -r now

For details, see %%PREFIX%%/etc/devd/u2f.conf
security/libu2f-host/pkg-plist
11 ↗(On Diff #30835)

Can you alphabetically sort as if @sample was absent? See the output from make restage && make makeplist.

cpm updated this revision to Diff 30840.Jul 16 2017, 5:58 PM
cpm edited edge metadata.
cpm edited the summary of this revision. (Show Details)
  • Use only GROUPS
  • Rewrite pkg-message according to Jan's proposal
  • Sort pkg-plist
This revision now requires review to proceed.Jul 16 2017, 5:58 PM
cpm marked 5 inline comments as done.Jul 16 2017, 5:59 PM
cpm marked an inline comment as not done.
jbeich added a comment.Jul 16 2017, 6:02 PM
This comment was removed by jbeich.
jbeich accepted this revision.Jul 16 2017, 6:09 PM

Don't forget to bump PORTREVISION.

Macro lgtm:

This revision is now accepted and ready to land.Jul 16 2017, 6:09 PM
cpm added a comment.Jul 16 2017, 6:39 PM

Thank you all for the great review!

Closed by commit rP446043: - Fix LICENSE (authored by cpm). · Explain WhyJul 16 2017, 6:57 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
2 lines
security/
libu2f-host/
13 lines
files/
13 lines
91 lines
1 line

Diff 30841

View Options

head/GIDs

Loading...
View Options

head/security/libu2f-host/Makefile

Loading...
View Options

head/security/libu2f-host/files/pkg-message.in

Loading...
View Options

head/security/libu2f-host/files/u2f.conf.sample

Loading...
View Options

head/security/libu2f-host/pkg-plist

Loading...